Role-based authorization

Messaging security uses a simple role model in which a role contains the authorization permission required to perform a given operation. If messaging security is switched on, you must give any users who connect to a bus permission to carry out the operations that they need to perform. You do this by assigning them to the appropriate role or roles.

Note: A user is the entity that performs an operation such as initiating the sending of a message to a destination.

Roles

When you assign a user to a role, this grants the user all of the permissions that the role contains. Users can belong to groups, which are defined in the user registry, and you can also assign a group to a role. In this case, all the users who are members of the group are authorized to carry out the operations for which this role contains permissions. There are two special groups of users:

You can assign a user or group to the following types of roles:

Operations requiring authorization

When messaging security is switched on, all operations on the following objects require authorization:

Buses
When a user connects to a local bus, before the user is allowed to perform any further operations, a check is made that this user has permission to connect to this bus. If a user connected to a local bus wants to send a message to a destination in a foreign bus, the user must also be authorized to access the foreign bus.
Destinations
Users require authorization to send, receive, or browse all types of destination. Users who create a temporary destination need to be granted create permission on the destination prefix on which the temporary destination is based. The authorization permissions of a temporary destination are the same as those of the destination prefix on which it is based. The name of this special destination prefix appears as a prefix in the temporary destination name.
Topic spaces and topics
To access a topic within a topic space, a user must be authorized to access both the topic space, and the specific topics within this topic space. To make topic authorizations easier to manage, a topic by default inherits authorization permissions from its parent in the topic namespace. However, you can change these inherited permissions for any given topic, or you can turn this level of authorization off altogether for a topic space, in which case a check is made that the user is authorized to access the topic space, but no further checks are made at the topic level.

Default authorization permissions

The default authorization permissions provide you with a way of quickly granting access to all local destinations. When a bus is created, the default permissions are given initial values which grant all authenticated users access to all local destinations. If you are using mediations, you may want to use the default permissions to grant the mediations user default access to all local destinations.

The default permissions apply to all destinations in a local bus namespace. The default permissions are added to any specific permissions that you define for an individual local destination. You can, if required, turn off the inheritance of the default permissions for an individual destination, in which case only the specific permissions that you create for this destination are used for authorization checking.

For topic spaces, the default permissions are used for checking a user's authorization to access the topic space itself, and the virtual root of the topic space.

For alias destinations, the default permissions are added to the specific permissions for an individual alias destination, if the alias name (that is, the name of the alias itself, not the target destination name of the alias) is in the local bus namespace. If the alias destination is in the namespace of another bus, the default permissions do not apply.
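The resolution rules described in the two sections above, modelled as an added Python example (constructed here, not WebSphere code): a role maps to the principals assigned to it; a destination check combines its specific permissions with the bus defaults unless inheritance is switched off or the name is outside the local bus namespace; a topic check passes the topic space first and then the nearest explicit permission on the topic or one of its ancestors, unless topic-level checks are turned off. Role names, user ids and group names used in the test are assumptions.

```python
from dataclasses import dataclass, field

Roles = dict[str, set[str]]  # role name -> principals (user ids or group names) assigned to it

@dataclass
class Destination:
    name: str
    bus: str                       # namespace owning the name; for an alias, the alias name's bus
    roles: Roles = field(default_factory=dict)
    inherit_defaults: bool = True  # add the bus default permissions to the specific ones

@dataclass
class TopicSpace:
    name: str
    roles: Roles = field(default_factory=dict)                   # the space / its virtual root
    topic_roles: dict[str, Roles] = field(default_factory=dict)  # explicit per-topic overrides
    topic_level_checks: bool = True

@dataclass
class Bus:
    name: str
    default_roles: Roles = field(default_factory=dict)  # apply to local destinations only

def _granted(roles: Roles, role: str, user: str, groups: set[str]) -> bool:
    """A user holds a role directly or through any group assigned to it."""
    return bool(roles.get(role, set()) & ({user} | groups))

def destination_allowed(bus: Bus, dest: Destination, role: str, user: str, groups: set[str]) -> bool:
    """Specific permissions, plus the bus defaults when inherited and the name is local to the bus.
    A temporary destination is checked by passing the prefix destination it is based on."""
    if _granted(dest.roles, role, user, groups):
        return True
    return dest.inherit_defaults and dest.bus == bus.name and _granted(bus.default_roles, role, user, groups)

def topic_allowed(bus: Bus, space: TopicSpace, topic: str, role: str, user: str, groups: set[str]) -> bool:
    """Check the topic space first, then the nearest explicit permission on the topic or an ancestor."""
    # The topic space itself and its virtual root are checked against the bus defaults plus the space roles.
    if not (_granted(space.roles, role, user, groups) or _granted(bus.default_roles, role, user, groups)):
        return False
    if not space.topic_level_checks:  # topic-level authorization turned off for this space
        return True
    parts = topic.split("/")
    for depth in range(len(parts), 0, -1):  # most specific override wins; otherwise inherit from parent
        explicit = space.topic_roles.get("/".join(parts[:depth]))
        if explicit is not None:
            return _granted(explicit, role, user, groups)
    return True  # no override anywhere on the path: inherited from the virtual root, already checked
```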

Last updated: Sep 20, 2010 11:08:29 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=cjr0450_
File name: cjr0450_.html